searching logs for key phrases

Mike Kienenberger (mkienenb@arsc.edu)
Tue, 26 Nov 96 13:07:53 -0900

What key phrases do people scan log files for?

At our site, we log everything we can to a central "more secure" logging  
server.  We divide our logging up into three files: SYSLOG.mail for all mail,  
SYSLOG.auth for authentication, and SYSLOG for everything else.

On our IRIX 5.3 systems, I've found that searching for the following is helpful:

VRFY            /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
EXPN            /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
" command "     /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands

deni            /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
fail            /usr/adm/*SYSLOG.auth   check for failed login attempts
                                        (passwords at the login prompt;
                                        brute force attacks, etc)

Does anyone have other things you look for on a regular basis?

I'm eventually hoping that we'll start using one of the log filter packages out
there on the net.  Anyone compared the various log filtering packages out there?
Do any of the packages come with preset standard patterns to search for?

Thanks!
---
Mike Kienenberger    Arctic Region Supercomputing Center
Systems Analyst      (907) 474-6842
mkienenb@arsc.edu    http://www.arsc.edu
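An added example, not part of Mike's post: a small Python scanner that runs the pattern/file table from the post over syslog-style lines. The sample lines, host names and the `scan`/`report` helpers are constructed for illustration and are not from the post. It also shows one caveat of plain substring matching: a case-sensitive "fail" misses an uppercase "LOGIN FAILURES" line unless `ignore_case` is set.

```python
"""Scan syslog-style lines for the key phrases listed in the post."""

# Pattern table from the post: (phrase, log file, what it flags).
# Matching is a plain substring test, like grep with a fixed string.
CHECKS = [
    ("VRFY",      "SYSLOG.mail", "VRFY commands"),
    ("EXPN",      "SYSLOG.mail", "EXPN commands"),
    (" command ", "SYSLOG.mail", "debug/wiz commands"),
    ("deni",      "SYSLOG.auth", "denied net cmds"),
    ("fail",      "SYSLOG.auth", "failed login attempts"),
]

# Constructed sample log lines (invented for this example, not real logs).
SAMPLE_LOGS = {
    "SYSLOG.mail": [
        "Nov 26 12:01:05 host sendmail[123]: NOQUEUE: example.net: VRFY root",
        "Nov 26 12:01:06 host sendmail[123]: NOQUEUE: example.net: EXPN wheel",
        'Nov 26 12:02:00 host sendmail[124]: "wiz" command from example.net',
        "Nov 26 12:03:00 host sendmail[125]: from=<user@example.org>, size=512",
    ],
    "SYSLOG.auth": [
        # Uppercase wording: a case-sensitive search for "fail" will skip it.
        "Nov 26 12:05:00 host login: 3 LOGIN FAILURES ON ttyq1, user",
        "Nov 26 12:05:01 host login: failed login for user from example.net",
        "Nov 26 12:06:00 host in.ftpd[130]: connection denied from example.net",
        "Nov 26 12:07:00 host login: ROOT LOGIN ON console",
    ],
}


def scan(logs, checks=CHECKS, ignore_case=False):
    """Return {(phrase, logfile): [matching lines]} for every check.

    logs maps a log file name to its lines; ignore_case folds both the
    phrase and the line to lower case before the substring test.
    """
    hits = {}
    for phrase, logfile, _desc in checks:
        needle = phrase.lower() if ignore_case else phrase
        lines = logs.get(logfile, [])
        hits[(phrase, logfile)] = [
            line for line in lines
            if needle in (line.lower() if ignore_case else line)
        ]
    return hits


def report(hits, checks=CHECKS):
    """Return a list of 'file: phrase (desc): N hit(s)' summary strings."""
    return ["%s: %r (%s): %d hit(s)" % (logfile, phrase, desc,
                                         len(hits[(phrase, logfile)]))
            for phrase, logfile, desc in checks]


if __name__ == "__main__":
    for line in report(scan(SAMPLE_LOGS, ignore_case=True)):
        print(line)
```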